View Issue Details

IDProjectCategoryView StatusLast Update
0033017mantisbtdocumentationpublic2023-10-31 16:32
Reporterdregad Assigned Todregad  
Status closedResolutionfixed 
Product Version2.3.0 
Target Version2.26.0Fixed in Version2.26.0 
Summary0033017: Mantis version visible in REST API request headers even when $g_show_version is OFF

The REST API always returns the MantisBT version in the X-Mantis-Version header, regardless of the value stored in $g_show_version config

$ curl -I
HTTP/1.1 404 Not Found
Date: Sun, 15 Oct 2023 10:48:19 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.3 PHP/7.4.33
X-Powered-By: PHP/7.4.33
Set-Cookie: PHPSESSID=mlr1mfkjl8h4dtaoqlo2qjeta5; path=/mantis; HttpOnly; SameSite=Strict
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Last-Modified: Sat, 14 Oct 2023 16:12:35 GMT
X-Mantis-Username: anonymous
X-Mantis-LoginMethod: cookie
X-Mantis-Version: 2.26.0-dev
Content-Length: 890
Content-Type: text/html;charset=UTF-8
Additional Information

Originally discussed in 0032980:0068159

TagsNo tags attached.


related to 0032980 closed Information leakage: summary on bug revision note 
related to 0033019 assigneddregad X-Mantis-Version headers sent when REST API is disabled 




2023-10-15 07:14

developer   ~0068213

Transcript from internal discussion on the subject

Tue, Oct 3, 2023, 10:31:02 - dregad:
is there a good reason for not hiding the X-Mantis-Version header when $g_show_version is OFF ? (for background, see 0032980:0068159)

Wed, Oct 4, 2023, 02:46:05 - vboctor (Victor Boctor):
The version is important when you are programmatically accessing Mantis since depending on the version the set of APis and functionality available will be different. It is also part of the contract. I think of show version not as avoiding information disclosure but as a UX config indicating whether to show it in the footer or not. I think we should just clarify this in the config documentation.

Wed, Oct 4, 2023, 09:15:35 - dregad:

a UX config indicating whether to show it in the footer or not

I agree it's just security through obscurity that does not achieve anything in terms of hardening a system, but regardless I think this is a decision that should be left to the admin, especially considering that this information is transmitted even if anonymous access is disabled and without the need for an API token

Wed, Oct 4, 2023, 09:55:46 - vboctor (Victor Boctor):
If someone knows a security gap they will just try it out. If login approach is to change the version would be useful even before clients having a token yet. It is important to have integrations not be impacted by inconsistencies because of random decisions.



2023-10-15 07:16

developer   ~0068214

Based on this discussion, this issue is basically a won't fix.

I'll commit a documentation change to make it clear that version can always be retrieved via REST API if enabled.



2023-10-15 09:00

developer   ~0068215

Changing category to documentation



2023-10-15 12:01

reporter   ~0068219

Hi all, please note that the version is displayed also if the API are NOT enabled.
I think that this circumstance make it a little worst.



2023-10-15 12:08

reporter   ~0068220

curl -kis http://localhost/mantisbt/api/rest/
HTTP/1.1 401 API token required
Date: Sun, 15 Oct 2023 16:06:54 GMT
Server: Apache/2.4.52 (Debian)
Set-Cookie: PHPSESSID=ukcnd48i76p4vegpqg67n9ov1l; path=/; HttpOnly
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Last-Modified: Tue, 11 Apr 2023 22:55:08 GMT
X-Mantis-Version: 2.25.7
Content-Length: 0
Content-Type: text/html; charset=UTF-8

It allows an unauthenticated user to identify the exact version (fingerprinting), no matter if API are enabled or not (in my installation are disabled).



2023-10-16 08:53

developer   ~0068224

Last edited: 2023-10-16 09:08

the version is displayed also if the API are NOT enabled.

This is wrong. I'll look into it (see 0033019).

Related Changesets

MantisBT: master 23d024eb

2023-10-15 08:35


Details Diff
Document $g_show_version not being a security feature

Fixes 0033017
Affected Issues
mod - config_defaults_inc.php Diff File
mod - docbook/Admin_Guide/en-US/config/version.xml Diff File